Month: April 2005

I’ll admit it: I don’t really get WS-MetadataExchange (or WS-MEX, as it’s affectionately known). I understand why someone might want to get the Scheme, WSDL, and WS-Policy data for a service. I’m just not clear on why a simple URL isn’t good enough. Why do we need to invent new RPC-style request/response pairs?

I guess I can see that this allows me to have one URL for the service that can be interrogated for all three in a standard way. Otherwise, I have to tell you three URLs to give you the metadata instead of one, but couldn’t we just as easily agree to some kind of convention like this:

This seems much simpler and easier to implement than a request/response pair. Plus, I can still grab each of these important documents in a browser and inspect them when I want without having to have a special tool. Am I missing something?

Before turning to the specific issue of why metadata exchange works the way it does, let's think for a minute about why you need it in the first place. The intent is to allow web service providers and consumers to be loosely coupled and negotiate the interfaces, infrastructural services and functional units they require.

To get more specific, let's take an example clear to those of us who work in the identity space. In previous discussions, we've drilled into the advantages of conceiving of digital identities as sets of claims. How would a relying party specify the specific claims it requires? How would it specify the parties from which it is willing to accept such claims (I'm struck by how easy it was to avoid the use of the word ‘trust’ in this sentence)? How would it indicate the types of underlying technologies and token formats which could be used to convey those claims? Finally, how can we create an infrastructure that subordinates, to the extent possible, these decisions to dynamic operational policies, rather than requiring software designers to hard code them?

Clearly Phil understands these motivations, and his question is about the design choice in using a new (if hyper simple) protocol rather than a basic HTTP GET.

To round up the best possible answer, I pinged Don Box, a person of great depth and wisdom who thinks about these issues as long and hard as people like us think about identity issues. He answered this way:

Since I was one of the offending parties, let me try to make clear why we did it.

We wanted a way to retrieve metadata for services using the same protocols we use to talk to those services.

It’s tempting to just use HTTP GET with query string hackery. In fact, this is exactly what we did in V1 (ASMX).

However, here are a few issues with that approach:

To date, we’ve avoided telling people how to form their URI. We’d like to keep it that way if possible.

Not all services will support HTTP. In Indigo, it’s common to expose an endpoint that only listens over IPC or SOAP-over-TCP.

We wanted metadata retrieval to compose with things like WS-Security.

We wanted to have one discoverable mechanism that would scale to arbitrary forms of metadata. In its simplest form, a MEX reply enumerates all of the supported metadata formats a given endpoint supports. For people building generic inspection/diagnostics/management tools, this is pure goodness.

All of this stated, ASMX still supports ?WSDL as does Indigo (if you enable it).

Using plain-old-HTTP-GET isn’t a bad solution – it just doesn’t always work. When it does, though, it’s a beautiful solution.
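To make Don's points concrete, here is a small Python helper, added as an example and not code from the original post, from Don Box or from Microsoft. It builds the WS-MEX GetMetadata request and enumerates the metadata an endpoint advertises in its reply, which is the "one discoverable mechanism" he describes and the inventory step a generic inspection or management tool would perform. The namespace, action and dialect URIs follow the September 2004 WS-MetadataExchange draft and the August 2004 WS-Addressing draft (none of them appear on the page); the endpoint addresses and the reply message are constructed for illustration.

```python
"""WS-MetadataExchange (Sept 2004 draft) in miniature: build a GetMetadata
request and enumerate the metadata an endpoint advertises in its reply.
Added example, not code from the original post.  Namespace/action/dialect URIs
follow the 2004/09 WS-MEX and 2004/08 WS-Addressing drafts; endpoint addresses
and SAMPLE_REPLY are constructed."""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "s":   "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "mex": "http://schemas.xmlsoap.org/ws/2004/09/mex",
}
GET_METADATA_ACTION = NS["mex"] + "/GetMetadata/Request"
# Dialect URIs labelling each MetadataSection; the MEX dialect itself means
# "list the kinds of metadata you have", the discoverability point Don makes.
DIALECTS = {
    "wsdl":   "http://schemas.xmlsoap.org/wsdl/",
    "schema": "http://www.w3.org/2001/XMLSchema",
    "policy": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "mex":    NS["mex"],
}
for _p, _u in NS.items():          # keep the familiar prefixes on output
    ET.register_namespace(_p, _u)

def q(prefix, local):
    """Clark-notation tag name {uri}local for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)

def build_get_metadata(to, dialect=None, identifier=None):
    """Serialize a GetMetadata request as UTF-8 bytes.  Without a dialect the
    endpoint is asked for every format it supports.  It is an ordinary SOAP
    envelope: it travels over net.tcp or IPC as well as HTTP, and a
    WS-Security header would sit beside the WS-Addressing ones."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = GET_METADATA_ACTION
    ET.SubElement(hdr, q("wsa", "To")).text = to
    ET.SubElement(hdr, q("wsa", "MessageID")).text = "urn:uuid:%s" % uuid.uuid4()
    req = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("mex", "GetMetadata"))
    if dialect:
        ET.SubElement(req, q("mex", "Dialect")).text = dialect
    if identifier:
        ET.SubElement(req, q("mex", "Identifier")).text = identifier
    return ET.tostring(env, encoding="utf-8")

def action_of(envelope_xml):
    """WS-Addressing Action of a SOAP envelope, or None if absent."""
    node = ET.fromstring(envelope_xml).find("s:Header/wsa:Action", NS)
    return node.text if node is not None else None

def requested_dialect(request_xml):
    """Dialect asked for in a GetMetadata request, or None for 'everything'."""
    node = ET.fromstring(request_xml).find(".//mex:GetMetadata/mex:Dialect", NS)
    return node.text if node is not None else None

def enumerate_metadata(reply_xml):
    """(dialect, how) per MetadataSection: how is 'inline', 'reference' (an
    endpoint reference to fetch from) or the URL in a Location element.  This
    is the inventory step a generic inspection/management tool performs."""
    out = []
    for sec in ET.fromstring(reply_xml).iterfind(".//mex:MetadataSection", NS):
        loc = sec.find("mex:Location", NS)
        if loc is not None:
            out.append((sec.get("Dialect"), loc.text.strip()))
        elif sec.find("mex:MetadataReference", NS) is not None:
            out.append((sec.get("Dialect"), "reference"))
        else:
            out.append((sec.get("Dialect"), "inline"))
    return out

# Constructed reply: WSDL inline, the schema by URL, the policy by reference.
SAMPLE_REPLY = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex">
 <s:Header><wsa:Action>http://schemas.xmlsoap.org/ws/2004/09/mex/GetMetadata/Response</wsa:Action></s:Header>
 <s:Body><mex:Metadata>
  <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/wsdl/">
   <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"/>
  </mex:MetadataSection>
  <mex:MetadataSection Dialect="http://www.w3.org/2001/XMLSchema">
   <mex:Location>http://example.invalid/svc?xsd=xsd0</mex:Location>
  </mex:MetadataSection>
  <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/policy">
   <mex:MetadataReference><wsa:Address>net.tcp://example.invalid/svc/mex</wsa:Address></mex:MetadataReference>
  </mex:MetadataSection>
 </mex:Metadata></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(build_get_metadata("net.tcp://example.invalid/svc/mex").decode())
    for dialect, how in enumerate_metadata(SAMPLE_REPLY):
        print("%-48s %s" % (dialect, how))
```

The contrast with Phil's `?WSDL` convention is visible in the request: nothing about the endpoint's URI is assumed, the message is addressed with `wsa:To` and can be signed or encrypted like any other SOAP message, and the reply tells the caller which dialects exist before anything is fetched. For an operator the enumeration matters in its own right: the WSDL, schema and policy an endpoint advertises are the same description that ASMX publishes by default and Indigo only when enabled, so knowing exactly what each endpoint publishes is a cheap check.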

You can see why I'm so fond of Don. Someone designing protocols who cares as much about inspection and diagnostic and management tools as he does about the specific value of the protocol. Maybe time really is moving forward.

Let's welcome Don Bowen (a.k.a. Wizard of IdM) to the blogosphere… Don has been involved in identity issues for many years, and was one of the first people to deploy a metadirectory when he was at Caterpillar and I had just finished the very first version of ZOOMIT VIA. We had a great time working together.

There is a gripping identity Battle of the Titans going on between Stefan Brands (from Credentica and McGill) and SuperPat (Pat Patterson of Sun Microsystems) on their respective blogs. It is really a good and fascinating discussion.

There are too many pieces going back and forth for me to get this completely right, but as far as I can tell Stefan started the cannonball rolling with a piece he wrote just after the release of the preliminary report by the London School of Economics on the British ID Card initiative (my piece on the initiative is here). SuperPat added a comment asking why Stefan thought Liberty was related, and Stefan obliged with a piece where he went further, describing Liberty as being, in some of its underlying protocol design, potentially “panoptical” (a reference to Jeremy Bentham's prison observation system).

SuperPat responded that while the underlying SAML protocols could be misused, the very specialization of the identity provider role will lead to providers whose business is dependent on being trusted and protecting private information. He argues that use of a well-chosen trusted third party identity provider has benefits which compensate for any ensuing loss of privacy.

That leads to another piece by Stefan which drills down even further into how it is possible to avoid some of these problems by introducing new protocols and cryptographic technologies. So there is a subterranean “policy versus technology enforcement” theme here.

(Trying to write about this debate left me feeling like someone who has taken an engine apart and ended up with screws left over after putting it back together. Somehow, Stefan also posted this – and Peter Davis added a comment here.)

It's my view that anyone who follows this debate will find it fascinating. This is “the real thing”. I think Liberty marks a big step forward towards deployable intercorporate identity systems. I think Stefan offers important ideas that we must be able to plug into the emerging identity metasystem. I think his reactions warn us to be careful of overstating the privacy and other benefits of the systems we do put in place. I think Pat Patterson deserves an award for his serenity in face of the word “genuine”. And I think we can work all of these issues out as we go forward.

I met with Phil Windley in person recently. We had a great exchange of ideas, and I was fascinated by his nuanced comments about identity and context.

I have the feeling I won't shock too many people by saying I am not the world's biggest fan of using the word “trust” to describe the means by which we evaluate the truthfulness of digital identity claims. And I have to hand it to Phil for humoring me during our conversation… But this caveat aside, I think Phil is onto something important when he talks about the one-time use of third-party claims to “transfer trust” – for example, the use of a government identity to introduce oneself to a bank, even though it would not make sense to use that identity for daily transactions. This is an insightful contribution to the third law.

Phil has a special facility for concrete examples enriched by his long experience, including that as CIO of Utah. Phil blogged about some of these ideas today.

Identity credentials have contexts. When I was talking to Kim Cameron, he used the example of a Government issued passport and coffee club card. The context for the passport is a border crossing. The context for the coffee club card is buying coffee. Identity credentials are often used out of context. Sometimes, out of context use doesn’t make sense—think of presenting the coffee club card during a border crossing.

Other times, however, it’s a critical part of establishing a relationship or transferring trust. As an example, you might use a credit card to pay for your purchase at the coffee shop and be asked to present some kind of identity credential. In that case, using your passport at the coffee shop would be out of context, but you’d be doing so to transfer the trust that the government has that you are a particular person to the coffee shop cashier.

One identity credential that’s frequently used out of context is the driver’s license. Interestingly, if you ask the head of your State’s driver’s license bureau if the driver’s license is an identity document, you’ll probably be told no—its official purpose is to authorize you to drive.

A recent move by the Utah Legislature to issue “driving privilege cards” (DPC) instead of driver’s licenses to illegal aliens belies that. You might be scratching your head and asking why anyone would issue a driver’s license to someone in the country illegally. The answer is very practical. Illegal aliens drive. When they drive, they sometimes get into accidents. Without a driver’s license, they can’t get auto insurance. By not giving illegal aliens a driving permit of some kind, you create a huge pool of uninsured motorists.

Issuing a DPC sends the message, loud and clear, that the driver’s license is an identity document that is frequently used out of its original context. Of course, as a private citizen, you’re free to recognize the driving privilege card as an identity document if you like. I suspect, for example, that it will be readily accepted as proof of age by convenience stores that want to sell beer and cigarettes. That kind of out of context use will continue.

The legislation specifically rules out certain contexts. For example, the DPC cannot be used to identify yourself when you fly. Nor can it be used to claim certain government benefits. Getting a driver’s license opens the door to all kinds of opportunities in our country. The intent is that the DPC will not.

There’s a dark side to the DPC as well. I can be pretty sure that anyone presenting a DPC is illegal. This opens the door to all kinds of discrimination and abuse. Whether the DPC catches on remains to be seen. The Federal Real ID legislation will probably force other States down this or similar paths.

Phil has a book on Identity Management in the works which I'm sure readers of this blog will consider a thriller! He also just did a podcast for IT Conversations with Dan Solove, author of the Digital Person. If you missed my discussion of Solove's ideas, I join Phil in strongly recommending this book.

Kim Cameron has just posted here on Stephen Deadman’s recent paper concerning the legal implications of establishing a Liberty Circle of Trust.

Having just returned from the Liberty Sponsors’ meeting, I think I can safely say that coffee-break conversation did sometimes turn to the topic of Kim’s blog, and even if there were some specifics on which people might disagree, there was also a general appreciation of the way in which Kim’s work brings important topics into the public domain in a constructive way, allowing different views to be aired.

That's very cool. Robin and the folks he describes have done a lot of really good work and I look forward to every opportunity to dialog with them.

There were just two sentences in Kim’s post on which I wanted to offer my own personal comment, and here they are:

1 “The legal complexities of this style of federation are significant, and they must all be considered.”

I agree with the sentiment entirely… but not necessarily with the hint of an implication that there are other styles of federation which might be legally less complex. Federation is one of the possible approaches to fixing the problem of trusted, interoperable authentication between multiple parties. My instinct is that relationships of that kind will give rise to pretty much the same legal complexity no matter which organisational and technical approach one adopts. It’s just a tough (but not insoluble) problem.

Well, I want to assure Robin that this was not intended as a “complexity swipe” at Liberty or anyone else. I totally agree with the formulation that the policy problems are “tough but not insoluble.” Further, the Liberty participants should be congratulated for their leadership in thinking about the policy side of things and centering their thinking in concrete scenarios and use cases. These ideas are real contributions.

I contrasted possible “styles of federation” without giving you the slightest context for what I was thinking – sorry about that! Blame it on the rain.

Basically, I think there exists a second set of what Jamie Lewis is calling “personal” identity scenarios, and that such scenarios can be less complex from a policy point of view – when done right – than intercorporate scenarios. But that doesn't mean they replace intercorporate scenarios or represent some kind of “silver bullet” or higher path! Both sets of scenarios need to be solved. They are complementary.

2 “Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.”

Again, I agree with the basic statement but not the implication. In my view, the user can be “the conscious agent of information release” while still having that act performed on her behalf. For instance, when I write a cheque [check] I consciously act to make a payment, but I then rely on the clearing system to perform that payment on my behalf. In the online environment, I issue instructions to my bank to transfer funds to someone else; that’s a process I trust a lot more than keeping my salary under the mattress!

So this is a trust model which already works in both the real and the online worlds; I think it can be applied to online attribute exchange as well – not necessarily as the whole and only solution, but certainly as a valid architectural option.

Totally agree, Robin. The option you propose is totally valid for the context you describe. When I was talking about a hammer, it was the hammer of user control and consent. There are many ways to achieve this and implement it in technology. I see you as a colleague who is as committed to this end as I am.

The Liberty Alliance has published a paper called “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation” which is available for download here.

The paper was edited by Stephen Deadman and compiled by a very knowledgeable panel of contributors including Luc Mathan, Christine Varney, Jeff Hodges, Paul Madsen, Joe Alhadeff, Piper Cole, and Stephanie Manning. It goes well beyond the Privacy and Security Best Practices paper released in 2003.

The paper situates the problems of privacy and data protection that arise when customer data is shared within the context of various European legal and normative initiatives (the thinking will be equally instructive to North Americans). At times I had the feeling the report raised almost as many questions as it answers – and that this was likely intentional. The legal complexities of this style of federation are significant, and they must all be considered.

The paper is a clarifying step forward for all of us who are working on federation solutions and deployments, whether they are based on Liberty profiles or other comparable technologies.

Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.

Stefan Brands has published a Primer on User Identification which can be downloaded here. It is a good introduction to Stefan's thinking and research – very stimulating work.

I know there are people who hear about a metasystem proposal and think, “Can't we just stick with TOKEN-X and have done with it?” And I understand that as a human reaction. But I urge people to look at systems like Stefan's and the other innovative systems coming from other “identity innovator” colleagues. These systems are being built today. Each of them has characteristics that are ideally suited to various contexts. Let's make sure, as we build an identity infrastructure encompassing a few billion computers, that it will support these innovative ideas.

Of course there were many potential candidates, but the prize for Most Invasive Proposal or Project went to an initiative I have previously called out as a blockbuster. I'm talking about the “Brittan Elementary School RFID tagging of students” project, which broke a whopping four laws of identity in one go (user control and consent, minimal information, fewest parties, and directional identity). The sfgate.com story is here and my commentary on the project's demise is here. There was apparently stiff competition.

The Privacy International press release reads:

The judges selected Brittan Elementary School for the award, citing the principal of the school, who enjoyed the idea of spying on all students’ whereabouts “because it would streamline the taking of attendance, giving teachers a few minutes more each day to teach and boost accuracy, no small matter given that California school funding is based on how many children attend class each day.” Parents of students reacted negatively and organized campaigns against the scheme. The Big Brother Award will be delivered personally to the principal by concerned parents.

Privacy International also issued a special Lifetime Menace Award to Choicepoint.

I met a number of key thinkers there, people who have worked hard for a long time to understand what privacy really is and how to protect it as technology evolves and we settle cyberspace. I came away hoping they will work with us – and blog with us – to ensure our thinking about the identity metasystem contributes as much to the protection of privacy as it does to any other aspect of security. Privacy and security are not possible without each other.

Eric Norlin recently wrote that he'd “never actually found a privacy paper interesting enough to read past page 2.” I've heard that complaint before, so I want to turn him on to Steve Mann. Eric, Steve will not bore you. I think it was clever the way conference organizers used Steve's ideas to frame a number of discussions.

One such idea is called “sousveillance” – a response to what he calls “The surveillance super highway”. Steve has taken those little black domes that hide surveillance cameras intended to observe individuals, and used them to make personal surveillance systems that work in the opposite direction (through which the individual can record his treatment by organizations – see the photo at right for an example…) He ups the “anti” by calling them “maybecameras” – maybe they are real, maybe they are on, maybe they are recording, maybe they are broadcasting (he has developed sophisticated mechanisms for broadcasting video images in real time, and assembling them at a base station into wrap-around visual representations which can even be manipulated to edit out unpleasant sights like billboards). Of course, the maybecameras are really a “situationist” intervention, through which everyone starts thinking about many privacy issues.

So get this. The conference organizers actually turned every conference bag into a maybecamera replete with its individual dome… It was really bizarre and effective, casually mixing with hundreds of other dome-carriers at a conference with a title of “Panopticon”… And guess what? It's the first time I have come home from a conference with something both my (university age) children wanted!

The good news (in terms of future conversation) is that the folks from eyetap.org sent me this update:

Slides from the conference keynote, opening plenary panel (Steve Mann, David Brin, Latanya Sweeney, and others) are in wearcam.org/cfp2005/

Pictures are here, including pictures of the dome sewing party where many well known volunteers such as John Gilmore, Jon Pincus, Deborah Pierce, etc., helped to make 500 maybecameras, one for each conference attendee. Some of the maybecameras had wireless transmitters to send live video offsite, but attendees did not know whether or not they were watching.

Jack Krupansky has pointed out that if we want to speak to a wider audience, we need a really crisp problem statement. Speaking of the latest identity meltdown at University of California, he says:

Do you think that Senator Feinstein, et al are in possession of a rock-solid “problem statement”? I think not. And these are the policy decision-makers who can make or break identity “reform” efforts. Call this Jack's One Law For Everything: Without a rock-solid problem statement, there can be no joy.